Radio Hack Steals Keystrokes from Millions of Wireless Keyboards

YOU SHOULD BE able to trust your wireless keyboard. And yet security researchers have been warning people to be suspicious of wireless computer accessories using sketchy radio protocols for years. Those warnings peaked five months ago, when hackers at the security firm Bastille found that millions of cheap keyboard and mouse dongles let hackers inject keystrokes onto your machine from hundreds of yards away. Now, in case you missed that message, the same researchers have extended their attack to millions more devices—and this time, they can not only inject keystrokes, but also read yours, too.

On Tuesday Bastille’s research team revealed a new set of wireless keyboard attacks they’re calling Keysniffer. The technique, which they’re planning to detail at the Defcon hacker conference in two weeks, allows any hacker with a $12 radio device to intercept the connection between any of eight wireless keyboards and a computer from 250 feet away> What’s more, it gives the hacker the ability to both type keystrokes on the victim machine and silently record the target’s typing.

The keyboards’ vulnerability, according to Bastille’s chief research officer Ivan O’Sullivan, comes from the fact that they all transmit keystrokes entirely without encryption. The manufacturers’ only plan against attackers spoofing or eavesdropping on their devices’ communications is to depend on the obscurity of the radio protocols used. “We were stunned,” says O’Sullivan. “We had no expectation that in 2016 these companies would be selling keyboards with no encryption.”

In a detailed website Bastille created to document their attack and the vulnerabilities it exploited, they list keyboards from HP, Toshiba, Radio Shack, Kensington, Insignia, General Electric, Anker and EagleTec as vulnerable to Keysniffer. Instead of connecting to computers via Bluetooth, which is standardized and has undergone extensive security testing, all of these devices use one generic alternative or another. Six of them use transceiver chips from a company called Mozart Semiconductor, and the other two use their own non-Bluetooth chipsets. Bastille’s researchers say going generic saves manufacturers money, but also means devices don’t get the better-tested encryption built into the Bluetooth standard.

In this case, the generic connections seem to have left the devices with virtually no real security at all. After a few weeks of painstaking reverse engineering work with a software-defined radio—an increasingly common tool for hackers exploring obscure radio frequencies—Bastille researcher Marc Newlin was able to recognize and reproduce any keystroke sent by the keyboards based on their radio signals alone. “There were no specifications,” says Newlin. “The only reason these devices had been operating under the radar is because no one had taken the time to reverse engineer them.”

Newlin also rewrote the firmware of a $12 Geeetech Crazyradio dongle to speak the obscure keyboard protocols he’d analyzed. With that plugged into a laptop, Newlin can, from hundreds of feet away, read or write keystrokes to any computer connected to one a vulnerable keyboards. He estimates he could increase that range with a Yagi antenna.

Earlier this year, Newlin used that same setup to demonstrate an attack Bastille called Mousejack. Mousajack affected a broad collection of other wireless keyboards and mice, and was based on Newlin’s discovery that many of the USB dongles those devices connected to were mistakenly programmed to accept unencrypted keystrokes if a hacker sent them, allowing an interloper to type on—but not actually read keystrokes from—your machine. But with Mousejack, you’d know when you were being hacked. Keysniffer’s invisible eavesdropping on keystrokes represents a far stealthier attack.

Keysniffer isn’t the first keyboard-eavesdropping technique of its kind. As early as 2009 researchers broke the weak encryption of Microsoft wireless keyboards to create a keyboard-sniffing tool called KeyKeriki. And last year hacker Samy Kamkar demonstrated the vulnerability of Microsoft’s wireless keyboards again: He released code and specs for anArduino-based tool called KeySweeper that plugs into a power outlet, impersonates a cell-phone charger, and both injects and sniffs keystrokes. The FBI went so far as to post a public advisory to be on the lookout for those KeySweeper spy devices, but hasn’t confirmed if any such attacks have actually hit businesses or government agencies.

Bastille’s work goes a step further than those Microsoft keyboard attacks. First, it shows that far more than a single manufacturer is vulnerable to the wireless keyboard radio hacks. And Newlin points out that unlike Microsoft’s target keyboards, the eight he analyzed all transmit information from their USB dongles at all times, waiting for a keyboard to respond to their communications. The Microsoft keyboards KeySweeper attacked, by contrast, only transmit at certain moments, like when someone starts typing. That means a hacker looking for targets could simply point an antenna at an office building and pick up radio signals from any of the hackable keyboards in it. “The fact that these keyboards are ‘louder’ makes the problem even worse,” says Kamkar.

When WIRED reached out to the affected manufacturers, EagleTec said it was still looking into Bastille’s research. Insignia denied that any of its keyboards lacked encryption, contradicting Bastille’s findings—though Bastille says it rechecked its test against Insignia’s keyboards and was able to successfully repeat the attack. Most of the companies didn’t respond to WIRED’s request for comment. Only Jasco, the company that makes the vulnerable GE keyboard, admitted to the problem and said it “will work directly with…customers of this product to address any issues or concerns,” asking that owners of the vulnerable keyboardscontact its customer support. But Bastille says that there’s no easy fix for the vulnerabilities it’s found, since the wireless devices don’t have a mechanism to push out a patch. Instead, the company is advising that anyone who owns one of the hackable devices switch to a wired keyboard, or at least one that uses actual Bluetooth.

For the security savvy, that’s not a new piece of advice; the work of researchers like Kamkar and the KeyKeriki developers should have put manufacturers of non-bluetooth wireless peripherals on notice years ago. But Kamkar says the breadth of the KeySniffer research makes that lesson clearer than ever. “They’re demonstrating that more vendors aren’t doing this right, and this is the most critical input device we have on a computer,” Kamkar says, “If they can sniff and inject, it’s game over.”